Earlier this year, there was some buzz over new IoT-related legislation passed in California, the so-called “Teddy Bears and Toasters Act.” It turns out the California IoT law may be the tip of the iceberg when it comes to legislative interest in the Internet of Things and related digital technologies, judging by a list put together by Alain Louchez, who heads the Center for the Development of the Application of Internet of Things Technologies (CDAIT) at Georgia Tech:
The list, which Louchez shared at the recent IoT for Manufacturing workshop at Georgia Tech, includes pending bills at the federal level. It includes everything from the Smart Manufacturing Leadership Act to the Secure and Protect Americans’ Data Act.
Most of these may seem unfamiliar except to sponsors and the lobbyists who helped write them, but that should come as no surprise considering they are still at a rough stage, with many stuck in committee or pending other types of review. Judging by the gridlock in Congress, few will ever be passed into law, but one thing’s for sure: IoT has Washington’s attention.
I’ve attended tech conferences for years, and I have come to expect a certain amount of grumbling from users about vendors. But at the IoT for Manufacturing workshop at Georgia Tech, there didn’t seem to be much in the way of bad vibes directed at vendors.
Indeed, most speakers and attendees expressed a sense of gratitude that vendors were providing solutions to some of their very real problems on the plant floor. They know that it’s impossible to design these solutions on their own (although some have tried with limited pilots using off-the-shelf hardware and software), so they have to work with someone to get the results that they want. Occasionally that involves academic partners such as the Georgia Tech Manufacturing Institute (which has architectures and designs for retrofitting kits available to manufacturing partners, as shown in the slide below), but often vendors and systems integrators get involved in a big way.
In addition to supplying much-needed technology solutions, I heard over and over how much people appreciated the declining costs of components. Heath Cates of Mountville Mills mentioned the use of low-cost hubs to connect sensors, PLCs and other devices at their main facility. William Hill, who helps run digitization efforts at Delta Air Lines’ sprawling machine shop, said the company spends about $1,200 to $1,500 to retrofit a piece of legacy equipment, which he considered to be a reasonable cost. He also praised the cost structure of one of Delta’s main IoT partners.
Lance Johnson of aerospace supplier Moog Inc. said the company was able to develop low-cost IoT systems working with its IT team and vendors. However, he also acknowledged that during the evaluation phase they identified enterprise software vendors whose high cost and “nebulous ROI” were unworkable. “It was a no-go for us,” he said.
One attendee questioned the “false promises” offered by many vendors, which he said leads to frustrations down the road about what the products and solutions can actually accomplish. But that was one of the only comments I heard that was generally negative on vendors in the IoT space.
Tim Merel offered another insight at the ARinAction event that was unrelated to augmented reality: “Computer Vision and Machine Learning are further into the cycle,” compared to augmented reality.
He predicted a new generation of AI giants could emerge in the next 3-5 years. Who will it be? That’s literally a billion-dollar question that is driving the VCs crazy. Of course there are the usual suspects (Google, Amazon, IBM, Facebook, etc.) but also consider that Chinese companies such as Baidu are also investing heavily in this area, and may be much further along than American companies.
On the other hand, maybe the next AI giant will come from an unexpected place, much like Amazon (a 1990s online book merchant) has emerged to become one of the leading online retailers, cloud service providers, and streaming content providers, not to mention its grocery, logistics, and other services.
There are two new serious security vulnerabilities out in the wild that affect everyone reading this article. You can read the background on Spectre (affects almost all semiconductors made by Intel, AMD, and others) and Meltdown (Intel, Qualcomm, and one type of ARM chip) but the big question for industrial users is how it will impact operations.
The short answer is: No one knows for sure. In theory, Meltdown allows “deep access” to kernel operations, which could affect everything from gateways to cloud servers. Spectre could afflict “all modern processors capable of keeping many instructions in flight” including smartphones. So far, no attacks have been observed in the wild, but we all know how that story goes. It’s only a matter of time before the baddies exploit the vulnerabilities.
In the meantime, industrial vendors have started to issue advisories and patches, especially for Meltdown (Spectre requires a complete redesign of the chip’s architecture, and fixes are apparently limited). Security Week has a rundown of statements and advisories from Rockwell, Siemens, Schneider Electric, ABB, and BD. Other patches and advisories include:
One of the biggest concerns about the fixes is the performance hit, widely reported to be 30% based on benchmarks. Industrial security expert and PPR regular Joe Weiss summed up the problem for industrial users:
“We have a lot of older systems and a lot of these older systems are very resource constrained. When you’re talking about possibly a 30 percent hit on performance, that can actually shut down many of our older legacy control systems. The cure could be much worse than the disease.”
Endpoint: Meltdown and Spectre are serious security vulnerabilities whose impact will be felt for many years to come. Reduced performance can take some older systems offline, a prospect that may force some users to upgrade their own systems. Infrastructure vendors know this, and will surely play up the FUD element to boost sales and maintenance contracts.
The fallout from the Meltdown and Spectre CPU bugs rolls on. There’s a lot of reading on this topic, but here are some of the bullets you need to know:
- According to one experienced tester, the Meltdown patches “introduce the largest kernel performance regressions I’ve ever seen.”
- The early patches might be causing more harm than good … and it’s not just the performance hit. As noted by Security Week, “Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently.” Major software vendors including Microsoft stopped the patches due to instability.
- Intel is coming out with a new set of patches that supposedly avoid the reboots and other problems noted earlier. But considering Intel’s history of attempting to spin its way out of this PR mess and releasing half-baked fixes, I would take the news with a grain of salt.
- Long-term, the entire world has a big security problem on its hands that won’t be fixed until silicon platforms are rearchitected AND older systems are patched or replaced. This could take years.
If you’re trying to play catch-up with these flaws, the best place to start is on this page created by security researchers, which includes links to advisories and patches put out by major vendors.
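Once advisories have been applied, the practical question for an operator is whether a given machine actually reports the Meltdown and Spectre mitigations as active. The script below is an added example, not code from the original post or from any vendor named in it. It assumes a Linux host whose kernel exposes the `/sys/devices/system/cpu/vulnerabilities/` directory (introduced with the mitigation patches; absent on kernels that predate them), and the sample file contents used for the offline run are constructed, not captured from a real system.

```python
"""Report kernel-declared Meltdown/Spectre mitigation status on Linux.

Added example (not part of the original post). Assumes the sysfs interface
/sys/devices/system/cpu/vulnerabilities/, where each file holds one of:
  "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>".
"""
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of sysfs contents (file name -> file text) so the
# example runs offline; the detail strings are illustrative, not captured.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def classify(text: str) -> str:
    """Map one sysfs status line to a coarse state."""
    text = text.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    # Empty or unrecognised text: do not assume the system is safe.
    return "unknown"


def assess(status: dict) -> dict:
    """Return {name: {"state": ..., "detail": ...}} for each vulnerability file."""
    result = {}
    for name, text in status.items():
        text = text.strip()
        detail = text.split(":", 1)[1].strip() if ":" in text else ""
        result[name] = {"state": classify(text), "detail": detail}
    return result


def needs_attention(status: dict) -> list:
    """Names whose state is vulnerable or unknown, sorted for stable output."""
    return sorted(
        name for name, info in assess(status).items()
        if info["state"] in ("vulnerable", "unknown")
    )


def read_sysfs(directory: str = SYSFS_DIR) -> dict:
    """Read every file in the sysfs directory into {name: text}.

    Returns {} when the directory is missing, which on a real host means the
    kernel predates the mitigation work entirely (older legacy systems, as the
    post notes) and must be treated as unpatched rather than as safe.
    """
    base = Path(directory)
    if not base.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(base.iterdir()) if p.is_file()}


if __name__ == "__main__":
    live = read_sysfs()
    if not live:
        print("No vulnerabilities directory: kernel predates mitigation reporting; treat as unpatched.")
    else:
        for name, info in assess(live).items():
            print(f"{name:12} {info['state']:12} {info['detail']}")
        print("needs attention:", needs_attention(live) or "none")
```

Run it on a patched host and every entry should read `mitigated` or `not_affected`; on a resource-constrained legacy box you may instead get the "no directory" branch, which is exactly the population the 30 percent performance concern applies to once the patch is installed.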